Policy for Account Lockout

This section explains the policy attributes that govern account lockout.

A Directory Server account refers loosely to a user's entry and to
the permissions that user has to perform operations on the directory. Each
account is associated with a bind DN and a user password. When a run of
failed binds suggests that an intruder is trying to guess a password, you
want Directory Server to lock the account. The lock prevents the account
from being used to bind, and so prevents the intruder from continuing the
attack against it.

As administrator, you can also manually deactivate an account, or the
accounts of all users who share a role. See Manually Locking Accounts for
instructions. A key part of your password policy, however, is specifying under
what circumstances Directory Server locks an account without your
intervention.

First, you must enable pwdLockout(5dsat) so that Directory Server can
automatically lock accounts when too many failed binds occur. Directory
Server keeps track of consecutive failed attempts to bind to an account. You
use pwdMaxFailure(5dsat) to specify how many consecutive failures are allowed
before Directory Server locks the account.

Directory Server locks accounts strictly according to password policy.
The operation is purely mechanical. An account can lock not because an
intruder is mounting an attack against it, but because the user typed the
password incorrectly. To keep such mistakes from accumulating, you use
pwdFailureCountInterval(5dsat) to specify how long Directory Server retains
the record of a failed attempt before discarding it. You use
pwdLockoutDuration(5dsat) to specify how long a lockout lasts before Directory
Server automatically unlocks the account. The administrator does not have to
intervene to unlock the accounts of users who make legitimate mistakes with no
malicious intent.
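The following is an added illustration of how the four attributes described above interact; it is not Directory Server code and not part of the original documentation. It parses a constructed password policy entry written in LDIF (the attribute names are the ones discussed here, the values are sample values chosen for the illustration) and replays a constructed sequence of bind attempts against it. The model assumes the semantics of the LDAP password policy draft from which the pwd* attributes come: failures are remembered for pwdFailureCountInterval seconds, a successful bind clears the failure history, and a lock set after pwdMaxFailure failures expires after pwdLockoutDuration seconds, with 0 meaning the lock stays until an administrator removes it.

```python
"""Model of Directory Server account lockout (added illustration, not server
code).  Semantics follow the LDAP password policy draft that defines the pwd*
attributes; that the server behaves exactly this way is an assumption."""

from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed policy entry in LDIF form.  Attribute names are the ones the
# text discusses; the values are sample values chosen for this illustration.
POLICY_LDIF = """\
dn: cn=Password Policy,cn=config
objectClass: pwdPolicy
pwdLockout: TRUE
pwdMaxFailure: 3
pwdFailureCountInterval: 600
pwdLockoutDuration: 900
"""


@dataclass
class LockoutPolicy:
    lockout: bool                 # pwdLockout: lock accounts automatically at all?
    max_failure: int              # pwdMaxFailure: failures allowed; 0 = never lock
    failure_count_interval: int   # pwdFailureCountInterval: seconds a failure is kept
    lockout_duration: int         # pwdLockoutDuration: seconds locked; 0 = until admin unlocks

    @classmethod
    def from_ldif(cls, ldif: str) -> "LockoutPolicy":
        """Minimal parser for the single-valued attributes of one policy entry."""
        attrs = {}
        for line in ldif.splitlines():
            if ":" in line and not line.startswith("dn:"):
                name, value = line.split(":", 1)
                attrs[name.strip()] = value.strip()
        return cls(
            lockout=attrs.get("pwdLockout", "FALSE").upper() == "TRUE",
            max_failure=int(attrs.get("pwdMaxFailure", 0)),
            failure_count_interval=int(attrs.get("pwdFailureCountInterval", 0)),
            lockout_duration=int(attrs.get("pwdLockoutDuration", 0)),
        )


@dataclass
class Account:
    failure_times: List[int] = field(default_factory=list)  # timestamps of failed binds
    locked_at: Optional[int] = None                         # when the lock was set


def bind(policy: LockoutPolicy, acct: Account, now: int, password_ok: bool) -> str:
    """Process one bind attempt at time `now` (seconds).
    Returns 'success', 'invalid-credentials' or 'locked'."""
    # Automatic unlock once pwdLockoutDuration has elapsed; 0 means never.
    if acct.locked_at is not None:
        if policy.lockout_duration and now - acct.locked_at >= policy.lockout_duration:
            acct.locked_at = None
            acct.failure_times.clear()
        else:
            return "locked"

    if password_ok:
        acct.failure_times.clear()   # a good bind clears the failure history
        return "success"

    # Record this failure, then forget failures older than the count interval
    # (interval 0 = failures are kept until the next successful bind).
    acct.failure_times.append(now)
    if policy.failure_count_interval:
        acct.failure_times = [t for t in acct.failure_times
                              if now - t < policy.failure_count_interval]

    if policy.lockout and policy.max_failure \
            and len(acct.failure_times) >= policy.max_failure:
        acct.locked_at = now
    return "invalid-credentials"


def replay(policy: LockoutPolicy, attempts: List[Tuple[int, bool]]) -> List[str]:
    """Replay (time, password_ok) pairs against a fresh account."""
    acct = Account()
    return [bind(policy, acct, t, ok) for t, ok in attempts]


# Constructed sequence: three quick failures lock the account, the user's
# correct password is refused while locked, and after 900 s the lock expires.
SAMPLE_ATTEMPTS = [(0, False), (5, False), (10, False), (20, True), (1000, True)]

if __name__ == "__main__":
    policy = LockoutPolicy.from_ldif(POLICY_LDIF)
    for (t, ok), result in zip(SAMPLE_ATTEMPTS, replay(policy, SAMPLE_ATTEMPTS)):
        print(f"t={t:5d}s password_ok={ok!s:5} -> {result}")
```

Running the script shows the bind at t=20 refused as locked even though the password is correct, and the bind at t=1000 succeeding once pwdLockoutDuration has elapsed. Spacing the same three wrong passwords more than 600 s apart never locks the account, because each failure record is discarded before the next one arrives; setting pwdLockoutDuration to 0 instead keeps the account locked until an administrator intervenes.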